azurerm_netapp_volume - support for the kerberos_enabled, smb_conti…

…nuous_availability_enabled, kerberos_5_read_only_enabled, kerberos_5_read_write_enabled, kerberos_5i_read_only_enabled, kerberos_5i_read_write_enabled, kerberos_5p_read_only_enabled, kerberos_5p_read_write_enabled properties (#25385) * upd: adding support for kerberos * add smb availablity support * add new props to flatten * fix kerberos volume implementation * remove unnecessary conversion * refactor * refactor, add descriptions * fix typo * properties should force new creation * add note * update docs * update docs * update description * Update internal/services/netapp/netapp_volume_resource.go Co-authored-by: kt <kt@katbyte.me> * rename props --------- Co-authored-by: rizkybiz <justin.defrank@hashicorp.com> Co-authored-by: kt <kt@katbyte.me>
hashicorp · Mar 26, 2024 · 29ed555 · 29ed555
1 parent 0fd1fb8
commit 29ed555
Show file tree

Hide file tree

Showing 2 changed files with 110 additions and 44 deletions.
diff --git a/internal/services/netapp/netapp_volume_resource.go b/internal/services/netapp/netapp_volume_resource.go
@@ -134,6 +134,21 @@ func resourceNetAppVolume() *pluginsdk.Resource {
 				},
 			},
 
+			"kerberos_enabled": {
+				// Due to large infrastructure requirements, there is not a reliable way to test Kerberos volumes in a shared environment at this time
+				Type:        pluginsdk.TypeBool,
+				Optional:    true,
+				ForceNew:    true,
+				Description: "Enable to allow Kerberos secured volumes. Requires appropriate export rules as well as the parent `azurerm_netapp_account` having a defined AD connection.",
+			},
+
+			"smb_continuous_availability_enabled": {
+				Type:        pluginsdk.TypeBool,
+				Optional:    true,
+				Description: "Continuous availability option should be used only for SQL and FSLogix workloads. Using it for any other SMB workloads is not supported.",
+				ForceNew:    true,
+			},
+
 			"security_style": {
 				Type:         pluginsdk.TypeString,
 				Optional:     true,
@@ -206,6 +221,31 @@ func resourceNetAppVolume() *pluginsdk.Resource {
 							Type:     pluginsdk.TypeBool,
 							Optional: true,
 						},
+
+						"kerberos_5_read_only_enabled": {
+							Type:     pluginsdk.TypeBool,
+							Optional: true,
+						},
+						"kerberos_5_read_write_enabled": {
+							Type:     pluginsdk.TypeBool,
+							Optional: true,
+						},
+						"kerberos_5i_read_only_enabled": {
+							Type:     pluginsdk.TypeBool,
+							Optional: true,
+						},
+						"kerberos_5i_read_write_enabled": {
+							Type:     pluginsdk.TypeBool,
+							Optional: true,
+						},
+						"kerberos_5p_read_only_enabled": {
+							Type:     pluginsdk.TypeBool,
+							Optional: true,
+						},
+						"kerberos_5p_read_write_enabled": {
+							Type:     pluginsdk.TypeBool,
+							Optional: true,
+						},
 					},
 				},
 			},
@@ -303,15 +343,17 @@ func resourceNetAppVolume() *pluginsdk.Resource {
 			},
 
 			"smb_non_browsable_enabled": {
-				Type:     pluginsdk.TypeBool,
-				Optional: true,
-				Default:  false,
+				Type:        pluginsdk.TypeBool,
+				Optional:    true,
+				Default:     false,
+				Description: "Enable non browsable share setting for SMB/Dual Protocol volume. When enabled, it restricts windows clients to browse the share",
 			},
 
 			"smb_access_based_enumeration_enabled": {
-				Type:     pluginsdk.TypeBool,
-				Optional: true,
-				Default:  false,
+				Type:        pluginsdk.TypeBool,
+				Optional:    true,
+				Default:     false,
+				Description: "Enable access based enumeration setting for SMB/Dual Protocol volume. When enabled, users who do not have permission to access a shared folder or file underneath it, do not see that shared resource displayed in their environment.",
 			},
 		},
 	}
@@ -348,6 +390,8 @@ func resourceNetAppVolumeCreate(d *pluginsdk.ResourceData, meta interface{}) err
 	volumePath := d.Get("volume_path").(string)
 	serviceLevel := volumes.ServiceLevel(d.Get("service_level").(string))
 	subnetID := d.Get("subnet_id").(string)
+	kerberosEnabled := d.Get("kerberos_enabled").(bool)
+	smbContiuouslyAvailable := d.Get("smb_continuous_availability_enabled").(bool)
 
 	var networkFeatures volumes.NetworkFeatures
 	networkFeaturesString := d.Get("network_features").(string)
@@ -480,6 +524,8 @@ func resourceNetAppVolumeCreate(d *pluginsdk.ResourceData, meta interface{}) err
 			CreationToken:             volumePath,
 			ServiceLevel:              &serviceLevel,
 			SubnetId:                  subnetID,
+			KerberosEnabled:           &kerberosEnabled,
+			SmbContinuouslyAvailable:  &smbContiuouslyAvailable,
 			NetworkFeatures:           &networkFeatures,
 			SmbNonBrowsable:           &smbNonBrowsable,
 			SmbAccessBasedEnumeration: &smbAccessBasedEnumeration,
@@ -686,6 +732,8 @@ func resourceNetAppVolumeRead(d *pluginsdk.ResourceData, meta interface{}) error
 		d.Set("volume_path", props.CreationToken)
 		d.Set("service_level", string(pointer.From(props.ServiceLevel)))
 		d.Set("subnet_id", props.SubnetId)
+		d.Set("kerberos_enabled", props.KerberosEnabled)
+		d.Set("smb_continuous_availability_enabled", props.SmbContinuouslyAvailable)
 		d.Set("network_features", string(pointer.From(props.NetworkFeatures)))
 		d.Set("protocols", props.ProtocolTypes)
 		d.Set("security_style", string(pointer.From(props.SecurityStyle)))
@@ -843,16 +891,28 @@ func expandNetAppVolumeExportPolicyRule(input []interface{}) *volumes.VolumeProp
 			unixReadOnly := v["unix_read_only"].(bool)
 			unixReadWrite := v["unix_read_write"].(bool)
 			rootAccessEnabled := v["root_access_enabled"].(bool)
+			kerberos5ro := v["kerberos_5_read_only_enabled"].(bool)
+			kerberos5rw := v["kerberos_5_read_write_enabled"].(bool)
+			kerberos5iro := v["kerberos_5i_read_only_enabled"].(bool)
+			kerberos5irw := v["kerberos_5i_read_write_enabled"].(bool)
+			kerberos5pro := v["kerberos_5p_read_only_enabled"].(bool)
+			kerberos5prw := v["kerberos_5p_read_write_enabled"].(bool)
 
 			result := volumes.ExportPolicyRule{
-				AllowedClients: utils.String(allowedClients),
-				Cifs:           utils.Bool(cifsEnabled),
-				Nfsv3:          utils.Bool(nfsv3Enabled),
-				Nfsv41:         utils.Bool(nfsv41Enabled),
-				RuleIndex:      utils.Int64(ruleIndex),
-				UnixReadOnly:   utils.Bool(unixReadOnly),
-				UnixReadWrite:  utils.Bool(unixReadWrite),
-				HasRootAccess:  utils.Bool(rootAccessEnabled),
+				AllowedClients:      utils.String(allowedClients),
+				Cifs:                utils.Bool(cifsEnabled),
+				Nfsv3:               utils.Bool(nfsv3Enabled),
+				Nfsv41:              utils.Bool(nfsv41Enabled),
+				Kerberos5ReadOnly:   utils.Bool(kerberos5ro),
+				Kerberos5ReadWrite:  utils.Bool(kerberos5rw),
+				Kerberos5iReadOnly:  utils.Bool(kerberos5iro),
+				Kerberos5iReadWrite: utils.Bool(kerberos5irw),
+				Kerberos5pReadOnly:  utils.Bool(kerberos5pro),
+				Kerberos5pReadWrite: utils.Bool(kerberos5prw),
+				RuleIndex:           utils.Int64(ruleIndex),
+				UnixReadOnly:        utils.Bool(unixReadOnly),
+				UnixReadWrite:       utils.Bool(unixReadWrite),
+				HasRootAccess:       utils.Bool(rootAccessEnabled),
 			}
 
 			results = append(results, result)
@@ -935,41 +995,29 @@ func flattenNetAppVolumeExportPolicyRule(input *volumes.VolumePropertiesExportPo
 		}
 
 		protocolsEnabled := []string{}
-		if v := item.Cifs; v != nil {
-			if *v {
-				protocolsEnabled = append(protocolsEnabled, "CIFS")
-			}
-		}
-		if v := item.Nfsv3; v != nil {
-			if *v {
-				protocolsEnabled = append(protocolsEnabled, "NFSv3")
-			}
-		}
-		if v := item.Nfsv41; v != nil {
-			if *v {
-				protocolsEnabled = append(protocolsEnabled, "NFSv4.1")
-			}
-		}
-		unixReadOnly := false
-		if v := item.UnixReadOnly; v != nil {
-			unixReadOnly = *v
+		if utils.NormaliseNilableBool(item.Cifs) {
+			protocolsEnabled = append(protocolsEnabled, "CIFS")
 		}
-		unixReadWrite := false
-		if v := item.UnixReadWrite; v != nil {
-			unixReadWrite = *v
+		if utils.NormaliseNilableBool(item.Nfsv3) {
+			protocolsEnabled = append(protocolsEnabled, "NFSv3")
 		}
-		rootAccessEnabled := false
-		if v := item.HasRootAccess; v != nil {
-			rootAccessEnabled = *v
+		if utils.NormaliseNilableBool(item.Nfsv41) {
+			protocolsEnabled = append(protocolsEnabled, "NFSv4.1")
 		}
 
 		result := map[string]interface{}{
-			"rule_index":          ruleIndex,
-			"allowed_clients":     utils.FlattenStringSlice(&allowedClients),
-			"unix_read_only":      unixReadOnly,
-			"unix_read_write":     unixReadWrite,
-			"root_access_enabled": rootAccessEnabled,
-			"protocols_enabled":   utils.FlattenStringSlice(&protocolsEnabled),
+			"allowed_clients":                utils.FlattenStringSlice(&allowedClients),
+			"kerberos_5_read_only_enabled":   utils.NormaliseNilableBool(item.Kerberos5ReadOnly),
+			"kerberos_5_read_write_enabled":  utils.NormaliseNilableBool(item.Kerberos5ReadWrite),
+			"kerberos_5i_read_only_enabled":  utils.NormaliseNilableBool(item.Kerberos5iReadOnly),
+			"kerberos_5i_read_write_enabled": utils.NormaliseNilableBool(item.Kerberos5iReadWrite),
+			"kerberos_5p_read_only_enabled":  utils.NormaliseNilableBool(item.Kerberos5pReadOnly),
+			"kerberos_5p_read_write_enabled": utils.NormaliseNilableBool(item.Kerberos5pReadWrite),
+			"protocols_enabled":              utils.FlattenStringSlice(&protocolsEnabled),
+			"root_access_enabled":            utils.NormaliseNilableBool(item.HasRootAccess),
+			"rule_index":                     ruleIndex,
+			"unix_read_only":                 utils.NormaliseNilableBool(item.UnixReadOnly),
+			"unix_read_write":                utils.NormaliseNilableBool(item.UnixReadWrite),
 		}
 		results = append(results, result)
 	}

diff --git a/website/docs/r/netapp_volume.html.markdown b/website/docs/r/netapp_volume.html.markdown
@@ -145,12 +145,18 @@ The following arguments are supported:
 
 * `encryption_key_source` - (Optional) The encryption key source, it can be `Microsoft.NetApp` for platform managed keys or `Microsoft.KeyVault` for customer-managed keys. This is required with `key_vault_private_endpoint_id`. Changing this forces a new resource to be created.
 
+* `kerberos_enabled` - (Optional) Enable to allow Kerberos secured volumes. Requires appropriate export rules.
+
+~> **NOTE:** `kerberos_enabled` requires that the parent `azurerm_netapp_account` has a *valid* AD connection defined. If the configuration is invalid, the volume will still be created but in a failed state. This requires manually deleting the volume and recreating it again via Terraform once the AD configuration has been corrected.
+
 * `key_vault_private_endpoint_id` - (Optional) The Private Endpoint ID for Key Vault, which is required when using customer-managed keys. This is required with `encryption_key_source`. Changing this forces a new resource to be created.
 
 * `smb_non_browsable_enabled` - (Optional) Limits clients from browsing for an SMB share by hiding the share from view in Windows Explorer or when listing shares in "net view." Only end users that know the absolute paths to the share are able to find the share. Defaults to `false`. For more information, please refer to [Understand NAS share permissions in Azure NetApp Files](https://learn.microsoft.com/en-us/azure/azure-netapp-files/network-attached-storage-permissions#:~:text=Non%2Dbrowsable%20shares,find%20the%20share.)
 
 * `smb_access_based_enumeration_enabled` - (Optional) Limits enumeration of files and folders (that is, listing the contents) in SMB only to users with allowed access on the share. For instance, if a user doesn't have access to read a file or folder in a share with access-based enumeration enabled, then the file or folder doesn't show up in directory listings. Defaults to `false`. For more information, please refer to [Understand NAS share permissions in Azure NetApp Files](https://learn.microsoft.com/en-us/azure/azure-netapp-files/network-attached-storage-permissions#:~:text=security%20for%20administrators.-,Access%2Dbased%20enumeration,in%20an%20Azure%20NetApp%20Files%20SMB%20volume.%20Only%20contosoadmin%20has%20access.,-In%20the%20below)
 
+* `smb_continuous_availability_enabled` - (Optional) Enable SMB Continuous Availability.
+
 * `tags` - (Optional) A mapping of tags to assign to the resource.
 
 -> **Note:** It is highly recommended to use the **lifecycle** property as noted in the example since it will prevent an accidental deletion of the volume if the `protocols` argument changes to a different protocol type.
@@ -171,6 +177,18 @@ An `export_policy_rule` block supports the following:
 
 * `root_access_enabled` - (Optional) Is root access permitted to this volume?
 
+* `kerberos_5_read_only_enabled` - (Optional) Is Kerberos 5 read-only access permitted to this volume?
+
+* `kerberos_5_read_write_enabled` - (Optional) Is Kerberos 5 read/write permitted to this volume?
+
+* `kerberos_5i_read_only_enabled` - (Optional) Is Kerberos 5i read-only permitted to this volume?
+
+* `kerberos_5i_read_write_enabled` - (Optional) Is Kerberos 5i read/write permitted to this volume?
+
+* `kerberos_5p_read_only_enabled` - (Optional) Is Kerberos 5p read-only permitted to this volume?
+
+* `kerberos_5p_read_write_enabled` - (Optional) Is Kerberos 5p read/write permitted to this volume?
+
 ---
 
 A `data_protection_replication` block is used when enabling the Cross-Region Replication (CRR) data protection option by deploying two Azure NetApp Files Volumes, one to be a primary volume and the other one will be the secondary, the secondary will have this block and will reference the primary volume, each volume must be in a supported [region pair](https://docs.microsoft.com/azure/azure-netapp-files/cross-region-replication-introduction#supported-region-pairs) and it supports the following: